The createScheduledSearchFromPackageTemplate() GraphQL mutation field may be used to create a scheduled search from a package scheduled search template.

This mutation is deprecated. Use GenerateScheduledSearchFromPackageTemplate() instead.

For more information on scheduled searches, see the Scheduled Searches documentation page. You may also want to look at the Packages page for related information and at the Searching Data documentation page as it relates to saving queries.

Syntax

Below is the syntax for the createScheduledSearchFromPackageTemplate() mutation field:

graphql
createScheduledSearchFromPackageTemplate(
      searchDomainName: RepoOrViewName!
      packageId: VersionedPackageSpecifier!
      scheduledSearchTemplateName: string!
      scheduledSearchName: string!
   ): ScheduledSearch!

Below is an example of how this mutation field might be used:

Raw
graphql
mutation {
  createScheduledSearchFromPackageTemplate( 
      searchDomainName: "humio",
      packageId: "crowdstrike/fltr-core@1.3.9"
      scheduledSearchTemplateName: "FLTR aidmaster Generation",
      scheduledSearchName: "my-filr-search"
     )
  { id, queryString, start, end }
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createScheduledSearchFromPackageTemplate( 
      searchDomainName: \"humio\",
      packageId: \"crowdstrike/fltr-core@1.3.9\"
      scheduledSearchTemplateName: \"FLTR aidmaster Generation\",
      scheduledSearchName: \"my-filr-search\"
     )
  { id, queryString, start, end }
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST "$YOUR_LOGSCALE_URL/graphql" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"query" : "mutation { createScheduledSearchFromPackageTemplate( searchDomainName: \"humio\", packageId: \"crowdstrike/fltr-core@1.3.9\" scheduledSearchTemplateName: \"FLTR aidmaster Generation\", scheduledSearchName: \"my-filr-search\" ) { id, queryString, start, end } }"}'
Windows Cmd and curl
shell
REM cmd.exe expands %VAR% (not $VAR) and has no single-quoted strings.
REM The JSON body stays on one line because ^ does not continue a line inside double quotes.
curl -v -X POST "%YOUR_LOGSCALE_URL%/graphql" ^
    -H "Authorization: Bearer %TOKEN%" ^
    -H "Content-Type: application/json" ^
    -d "{\"query\" : \"mutation { createScheduledSearchFromPackageTemplate( searchDomainName: \\\"humio\\\", packageId: \\\"crowdstrike/fltr-core@1.3.9\\\" scheduledSearchTemplateName: \\\"FLTR aidmaster Generation\\\", scheduledSearchName: \\\"my-filr-search\\\" ) { id, queryString, start, end } }\"}"
Windows Powershell and curl
powershell
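$query = @'
mutation {
  createScheduledSearchFromPackageTemplate(
      searchDomainName: "humio",
      packageId: "crowdstrike/fltr-core@1.3.9"
      scheduledSearchTemplateName: "FLTR aidmaster Generation",
      scheduledSearchName: "my-filr-search"
     )
  { id, queryString, start, end }
}
'@

# ConvertTo-Json escapes the quotes and newlines so the body is valid JSON;
# the body is piped to curl.exe on stdin (-d '@-') to avoid native-argument quoting issues
@{ query = $query } | ConvertTo-Json -Compress | curl.exe -X POST `
    -H "Authorization: Bearer $TOKEN" `
    -H "Content-Type: application/json" `
    -d '@-' `
    "$YOUR_LOGSCALE_URL/graphql"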
Perl
perl
#!/usr/bin/perl

use strict;
use warnings;

use HTTP::Request;
use JSON::PP;
use LWP::UserAgent;

# Read the API token and base URL from the environment
my $TOKEN = $ENV{TOKEN};
my $uri   = "$ENV{YOUR_LOGSCALE_URL}/graphql";

my $query = 'mutation {
  createScheduledSearchFromPackageTemplate(
      searchDomainName: "humio",
      packageId: "crowdstrike/fltr-core@1.3.9"
      scheduledSearchTemplateName: "FLTR aidmaster Generation",
      scheduledSearchName: "my-filr-search"
     )
  { id, queryString, start, end }
}';

# encode_json escapes the quotes and newlines so the request body is valid JSON
my $json = encode_json({ query => $query });

my $req = HTTP::Request->new("POST", $uri);

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content($json);

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request($req);

# Use the public accessor rather than the object's internal _content field
print $result->decoded_content, "\n";
Python
python
#! /usr/local/bin/python3

import os

import requests

# Base URL and API token are read from the environment
url = os.environ["YOUR_LOGSCALE_URL"] + "/graphql"
token = os.environ["TOKEN"]

query = '''mutation {
  createScheduledSearchFromPackageTemplate(
      searchDomainName: "humio",
      packageId: "crowdstrike/fltr-core@1.3.9"
      scheduledSearchTemplateName: "FLTR aidmaster Generation",
      scheduledSearchName: "my-filr-search"
     )
  { id, queryString, start, end }
}'''

# json= serializes the body (escaping the quotes and newlines in the query)
# and sets the Content-Type header to application/json
resp = requests.post(url,
                     json={"query": query},
                     headers={"Authorization": "Bearer " + token},
                     timeout=30)

print(resp.text)
Node.js
javascript
const https = require('https');

// A template literal holds the multi-line mutation; JSON.stringify escapes
// its quotes and newlines for the request body
const data = JSON.stringify({
  query: `mutation {
  createScheduledSearchFromPackageTemplate(
      searchDomainName: "humio",
      packageId: "crowdstrike/fltr-core@1.3.9"
      scheduledSearchTemplateName: "FLTR aidmaster Generation",
      scheduledSearchName: "my-filr-search"
     )
  { id, queryString, start, end }
}`,
});

// YOUR_LOGSCALE_URL and TOKEN are read from the environment
const url = new URL(process.env.YOUR_LOGSCALE_URL + '/graphql');

const options = {
  hostname: url.hostname,
  path: url.pathname,
  port: url.port || 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    // Content-Length is a byte count, not a character count
    'Content-Length': Buffer.byteLength(data),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let body = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    body += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(body).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
Example Responses
Success (HTTP Response Code 200 OK)
json
{
  "data": {
    "createScheduledSearchFromPackageTemplate": {
      "id": "Q5c81dMBzdTQxmsLDzw0Olmoyx69I5G3",
      "queryString": "#event_simpleName=AgentOnline OR #event_simpleName=HostnameChanged\n| groupBy(aid, function=selectLast(ComputerName), limit=max)",
      "start": "7d",
      "end": "now"
    }
  }
}
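
The following is an added example, not part of the original documentation. It passes the four arguments as GraphQL variables instead of splicing them into the query text, and treats a response carrying an errors array as a failure even when the HTTP status is 200. The variable names, the use of GraphQL's built-in String type for the two string arguments, and the sample error response are assumptions.

```python
import json

# The mutation text is constant; caller-supplied values travel as GraphQL
# variables, so a quote or brace in a name cannot alter the query document.
# Assumption: the two string arguments use GraphQL's built-in String scalar.
MUTATION = """
mutation ($domain: RepoOrViewName!, $pkg: VersionedPackageSpecifier!,
          $template: String!, $name: String!) {
  createScheduledSearchFromPackageTemplate(
      searchDomainName: $domain
      packageId: $pkg
      scheduledSearchTemplateName: $template
      scheduledSearchName: $name
  ) { id, queryString, start, end }
}
"""
FIELD = "createScheduledSearchFromPackageTemplate"


def build_body(domain, package_id, template_name, search_name):
    """Return the JSON request body (query plus variables) as a string."""
    variables = {"domain": domain, "pkg": package_id,
                 "template": template_name, "name": search_name}
    return json.dumps({"query": MUTATION, "variables": variables})


def parse_response(text):
    """Return the created ScheduledSearch, or raise if the server reported errors."""
    # GraphQL servers commonly answer HTTP 200 even when the operation failed,
    # so the status code alone is not a success signal.
    doc = json.loads(text)
    if doc.get("errors"):
        messages = "; ".join(str(e.get("message", e)) for e in doc["errors"])
        raise RuntimeError(f"GraphQL error: {messages}")
    result = (doc.get("data") or {}).get(FIELD)
    if not result or "id" not in result:
        raise RuntimeError("response did not contain a scheduled search")
    return result


# Constructed sample input: the success response shown on this page, and a
# made-up error response in the standard GraphQL error shape.
SAMPLE_OK = json.dumps({"data": {FIELD: {
    "id": "Q5c81dMBzdTQxmsLDzw0Olmoyx69I5G3",
    "queryString": "#event_simpleName=AgentOnline OR #event_simpleName=HostnameChanged\n| groupBy(aid, function=selectLast(ComputerName), limit=max)",
    "start": "7d", "end": "now"}}})
SAMPLE_ERR = json.dumps({"data": None, "errors": [{"message": "constructed error"}]})
```

Send the string from build_body() as the POST body in place of the hand-written JSON in the examples above, and pass the response text to parse_response().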

Given and Returned Datatypes

The given datatypes RepoOrViewName and VersionedPackageSpecifier are scalars. See the example above to see how to enter their values. The returned datatype ScheduledSearch has its own parameters. Below is a list of them along with their datatypes and a description of each:

Table: ScheduledSearch

| Parameter | Type | Required | Default | Stability | Description |
|---|---|---|---|---|---|
| actions | [string] | yes | | | List of unique identifiers for actions to fire on query result. |
| actionsV2 | [Action] | yes | | | List of actions to fire on query result. See Action. |
| allowedActions | [AssetAction] | yes | | | The allowed asset actions. See AssetAction. |
| backfillLimit | integer | yes | | | User-defined limit, which caps the number of missed searches to backfill, e.g. in the event of a shutdown. |
| description | string | | | | A description of the scheduled search. |
| enabled | boolean | yes | | | Whether the scheduled search is enabled. |
| end | string | yes | | | The end of the relative time interval for the query. |
| id | string | yes | | | The unique identifier of the scheduled search. |
| isStarred | boolean | yes | | | Whether the calling user has 'starred' the scheduled search. This has been deprecated and is no longer in use and has no effect. It will be removed in version 1.213. |
| labels | [string] | yes | | | The labels added to the scheduled search. |
| lastError | string | | | | The last error encountered while running the search. |
| lastExecuted | long | | | | Unix timestamp for end of search interval for last query execution. |
| lastScheduledSearch | long | | | | The UNIX timestamp at which the last query result was processed. This is deprecated and replaced with lastExecuted and lastTriggered. |
| lastTriggered | long | | | | Unix timestamp for end of search interval for last query execution that triggered. |
| lastWarnings | [string] | yes | | | The last warnings encountered while running the scheduled search. |
| modifiedInfo | ModifiedInfo | yes | | | User or token used to modify the asset. See ModifiedInfo. |
| name | string | yes | | | The name of the scheduled search. |
| package | PackageInstallation | yes | | | The related package. See PackageInstallation. |
| packageId | VersionedPackageSpecifier | yes | | | The unique identifier for the related package. VersionedPackageSpecifier is a scalar. |
| queryOwnership | QueryOwnership | yes | | | Ownership of the query run by this scheduled search. See QueryOwnership. |
| queryString | string | yes | | | The LogScale query to execute. |
| runAsUser | User | yes | | | The unique identifier of the user as which the scheduled search is running. See User. |
| schedule | string | yes | | | The cron pattern describing the schedule to execute the query on. |
| start | string | yes | | | The start of the relative time interval for the query. |
| timeOfNextPlannedExecution | long | | | | The UNIX timestamp for next planned search. |
| timeZone | string | yes | | | Time zone of the schedule. Currently, this field only supports UTC offsets like 'UTC', 'UTC-01' or 'UTC+12:45'. |
| yamlTemplate | yaml | yes | | | A template that can be used to recreate the scheduled search. |

Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Oct 3, 2024